If you're looking to deploy firewalls as part of a security perimeter around Internet-facing servers, you've got several options. Lenny Zeltser explains in this article how you can use one or more firewalls to separate network resources in a way that matches the business and technical requirements of multitier applications.

This article examines considerations for deploying firewalls as part of a
network perimeter around Internet-facing servers. The discussion focuses on
situations that may warrant strict separation of network resources into
dedicated subnets, and it explains how to enforce access restrictions using
firewalls in a way that matches the company's business and technical
requirements. The article introduces several network architectures that use a
single firewall as well as firewalls deployed one behind another in series, and
addresses the strengths and weaknesses of each approach.

Partitioned network architectures can be used to protect multitier
applications accessible over the Web. Following the trend of designing
applications in an expandable and scalable manner, these applications are often
created by using modules that run on different servers and that typically form
three distinct groups: presentation, middleware, and data tiers. Let's
begin by examining how the architecture of such applications may influence the
design of the network's security perimeter.

Multitier Applications

By segmenting a Web-based application into several logical tiers, software
architects isolate core functional areas into groupings that can be designed,
developed, and maintained somewhat independently of each other. The following
tiers are present in some way in most Web-facing applications of moderate
complexity:

Presentation components are usually adjacent to the Internet and
are the only modules directly accessed by end users. Such publicly accessible
services are often implemented using Web, DNS, and mail servers. Software
running on these servers, operating as part of a unified system, presents the
application to users and handles interactions between users and back-end
components. Programmable logic of the application at this tier is implemented
using mechanisms such as CGI scripts, servlets, JavaServer Pages (JSPs), and
Active Server Pages (ASPs) that are used to generate the application's user
interface. In addition to interacting with human users, presentation systems may
communicate with other hosts across the Web, frequently through the use of
protocols such as SOAP, ebXML, and WSDL.

Middleware components execute business logic of the application in
response to requests issued by presentation servers on the user's behalf;
they are not directly accessed by end users. Such middleware components are
usually implemented using application servers such as BEA WebLogic, IBM
WebSphere, and iPlanet Application Server, as well as via custom daemon-style
programs. Application servers provide an environment within which middleware
components can operate. They are based on frameworks such as Enterprise Java
Beans (EJBs), CORBA, and .NET. Other servers at the middleware tier provide
auxiliary services that collaborate with the application server and may host
application-level authentication and authorization mechanisms such as those
implemented by Netegrity SiteMinder and Entrust GetAccess.

Data components are typically hosted by database and directory
servers that run software such as Oracle Database and iPlanet Directory Server.
They may also be implemented using custom programs and flat files. These are
typically the most confidential resources of the application because they
maintain sensitive data such as customer records, account information, and
monetary transaction statements.

This article discusses applications that define three distinct tiers, but
the same concepts extend to four or more tiers as well. The logical view
of a Web-based multitier application is presented in Figure 1. A sample workflow
of an application built according to this architecture can be described as
follows:

An Internet user issues a request via a Web browser to the Web
server.

The Web server preprocesses the request and relays it to the application
server.

The application server obtains necessary information from the database,
processes the request, and responds to the Web server. The Web server, in turn,
formats and displays the response to the user.
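As an added illustration that is not part of the article, the following Python sketch models the three-step workflow above as a default-deny table of permitted tier-to-tier flows and audits a few constructed connection records against it. The subnets, the sample addresses, and the ports (80/443 for the Web tier, 8080 for the application server, 1521 for the database) are assumptions, since the article assigns none.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets for each tier; the article names the tiers but assigns
# no addresses, so these are assumptions.
TIER_SUBNETS = {
    "presentation": ip_network("192.0.2.0/24"),
    "middleware":   ip_network("198.51.100.0/24"),
    "data":         ip_network("203.0.113.0/24"),
}

# Permitted flows mirror the sample workflow: end users reach only the
# presentation tier, and each tier talks only to the tier directly behind it.
# Ports are assumed. Reply packets are taken to be handled by a stateful
# firewall, so only the initiating direction is listed. Anything absent is denied.
ALLOWED_FLOWS = {
    ("internet", "presentation"): {80, 443},   # step 1: browser -> Web server
    ("presentation", "middleware"): {8080},    # step 2: Web -> application server
    ("middleware", "data"): {1521},            # step 3: application server -> DB
}

def tier_of(addr):
    """Classify an address by tier subnet; anything else counts as the Internet."""
    ip = ip_address(addr)
    for name, net in TIER_SUBNETS.items():
        if ip in net:
            return name
    return "internet"

def flow_allowed(src, dst, dport):
    """Default-deny decision: True only if the tier pair and port are listed."""
    return dport in ALLOWED_FLOWS.get((tier_of(src), tier_of(dst)), set())

def audit(flows):
    """Return the (src, dst, port) records that the policy would deny."""
    return [f for f in flows if not flow_allowed(*f)]

# Constructed connection records: the legitimate workflow, then three attempts
# that bypass a tier and should be rejected.
SAMPLE_FLOWS = [
    ("198.18.0.5", "192.0.2.10", 443),          # user -> Web server
    ("192.0.2.10", "198.51.100.10", 8080),      # Web server -> app server
    ("198.51.100.10", "203.0.113.10", 1521),    # app server -> database
    ("198.18.0.5", "203.0.113.10", 1521),       # user straight to the database
    ("192.0.2.10", "203.0.113.10", 1521),       # Web server skipping middleware
    ("198.18.0.5", "198.51.100.10", 8080),      # user straight to middleware
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY", flow)
```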

The application's multitier architecture allows you to design the network in
a way that mirrors the grouping of the application's components, so that you
can segment resources based on how sensitive and exposed they are and on how
likely they are to be compromised. Let's proceed by examining how to host a
multitier application on one subnet behind a single firewall.